.TH tinysshd 8
.SH NAME
tinysshd \- Tiny SSH daemon
.SH SYNOPSIS
.B tinysshd
[ options ]
.I keydir
.SH DESCRIPTION
.B tinysshd
is a minimalistic SSH server which implements only a subset of SSHv2 features.
.sp
.B tinysshd
supports only secure cryptography (minimum 128\-bit security, protected against cache\-timing attacks)
.sp
.B tinysshd
doesn't implement older crypto (such as RSA, DSA, HMAC\-MD5, HMAC\-SHA1, 3DES, RC4, ...)
.sp
.B tinysshd
doesn't implement unsafe features (such as password or hostbased authentication)
.sp
.B tinysshd
doesn't have features such: SSH1 protocol, compression, port forwarding, agent forwarding, X11 forwarding ...
.sp
.B tinysshd
doesn't use dynamic memory allocation (no allocation failures, etc.)
.SH OPTIONS
.TP
.B \-q
no error messages
.TP
.B \-Q
print error messages (default)
.TP
.B \-v
print extra information
.TP
.B \-s
enable state\-of\-the\-art crypto (default)
.sp
signing \- ssh\-ed25519
.sp
key-exchange \- curve25519\-sha256
.sp
symmetric \- chacha20\-poly1305@openssh.com
.TP
.B \-S
disable state\-of\-the\-art crypto
.TP
.B \-p
enable post\-quantum crypto (default)
.sp
signing \- TODO (not implemented yet)
.sp
key-exchange \- sntrup761x25519\-sha512@openssh.com
.sp
symmetric \-  chacha20\-poly1305@openssh.com
.TP
.B \-P
disable post\-quantum crypto
.TP
.B \-l
use syslog instead of standard error output (useful for running from inetd)
.TP
.B \-L
don't use syslog, use standard error output (default)
.TP
.B \-x \fIname=command
add subsystem command (e.g.: sftp=/usr/libexec/openssh/sftp\-server)
.TP
.B \-e \fIcommand
execute the given command instead of spawning the shell (disables \fIexec\fR/\fIsubsystem\fR channel requests)
.TP
.I keydir
directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir
.SH AUTHORIZATION
.B tinysshd
supports only public-key authorization via
.B AuthorizedKeysFile
~/.ssh/authorized_keys. Each line of the file contains one key in format "keytype base64-encoded-key comment".
.B tinyssh
supports only "ssh-ed25519" keytype.
.sp
~/.ssh/authorized_keys example:
.nf
.RS 2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
.RE
.SH RUNNING
.TP
.B TCPSERVER
tcpserver \-HRDl0 0.0.0.0 22 /usr/sbin/tinysshd \-v /etc/tinyssh/sshkeydir &
.TP
.B BUSYBOX
busybox tcpsvd 0 22 tinysshd \-v /etc/tinyssh/sshkeydir &
.TP
.B INETD
.RS 4
/etc/inetd.conf:
.RS 4
ssh stream tcp nowait root /usr/sbin/tinysshd tinysshd \-l \-v /etc/tinyssh/sshkeydir
.RE
.RE
.TP
.B SYSTEMD
.RS 4
tinysshd.socket:
.RS 4
.nf
[Unit]
Description=TinySSH server socket
ConditionPathExists=!/etc/tinyssh/disable_tinysshd

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
.fi
.RE
.RE
.sp
.RS 4
tinysshd@.service:
.RS 4
.nf
[Unit]
Description=Tiny SSH server
After=network.target auditd.service

[Service]
ExecStartPre=\-/usr/sbin/tinysshd\-makekey \-q /etc/tinyssh/sshkeydir
EnvironmentFile=\-/etc/default/tinysshd
ExecStart=/usr/sbin/tinysshd ${TINYSSHDOPTS} \-\- /etc/tinyssh/sshkeydir
KillMode=process
SuccessExitStatus=111
StandardInput=socket
StandardError=journal

[Install]
WantedBy=multi\-user.target
.fi
.RE
.RE
.SH SEE ALSO
.BR tinysshd\-makekey (8),
.BR tinysshd\-printkey (8)
.sp
.nf
https://tinyssh.org/
.fi
